Skip to content

OCPBUGS-83863: Strip debug symbols from Go binaries#1525

Merged
openshift-merge-bot[bot] merged 2 commits into
openshift:mainfrom
sdodson:strip-go-binaries
Jun 11, 2026
Merged

OCPBUGS-83863: Strip debug symbols from Go binaries#1525
openshift-merge-bot[bot] merged 2 commits into
openshift:mainfrom
sdodson:strip-go-binaries

Conversation

@sdodson

@sdodson sdodson commented May 25, 2026

Copy link
Copy Markdown
Member

Summary

  • Add -s -w to ldflags in GO_BUILD_RECIPE to strip DWARF debug info and symbol tables from the main operator binary
  • Fix build-gather-sysinfo and build-performance-profile-creator targets which intended to strip but had a make-vs-shell variable expansion bug ($(LDFLAGS) is expanded by make before the shell runs, so the shell variable set on the previous line was never used)

Impact

The cluster-node-tuning-operator image (617 MB) contains three unstripped Go binaries totaling 195 MB:

  • cluster-node-tuning-operator (96.8 MB)
  • gather-sysinfo (63.8 MB)
  • performance-profile-creator (34.6 MB)

Stripping typically reduces Go binary size by 20-30%, reducing container image pull time during node scale-up.

Test plan

  • Verify image builds successfully
  • Verify binaries are stripped (file /usr/bin/cluster-node-tuning-operator should show "stripped")
  • Verify operator functions correctly

Summary by CodeRabbit

  • Chores
    • Updated build configuration to reduce binary sizes and streamline compilation across multiple build targets.
    • Applied the same build optimizations to additional build and test targets to ensure consistent output and faster, smaller artifacts.

Add -s -w to ldflags to strip DWARF debug info and symbol tables.
This typically reduces binary size by 20-30%, which reduces container
image pull time during node scale-up.

Also fix build-gather-sysinfo and build-performance-profile-creator
targets which intended to strip but had a make-vs-shell variable
expansion bug: they set a shell variable LDFLAGS then referenced
$(LDFLAGS) which make expands (to empty) before the shell runs.

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels May 25, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@sdodson: This pull request references Jira Issue OCPBUGS-83863, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Add -s -w to ldflags in GO_BUILD_RECIPE to strip DWARF debug info and symbol tables from the main operator binary
  • Fix build-gather-sysinfo and build-performance-profile-creator targets which intended to strip but had a make-vs-shell variable expansion bug ($(LDFLAGS) is expanded by make before the shell runs, so the shell variable set on the previous line was never used)

Impact

The cluster-node-tuning-operator image (617 MB) contains three unstripped Go binaries totaling 195 MB:

  • cluster-node-tuning-operator (96.8 MB)
  • gather-sysinfo (63.8 MB)
  • performance-profile-creator (34.6 MB)

Stripping typically reduces Go binary size by 20-30%, reducing container image pull time during node scale-up.

Test plan

  • Verify image builds successfully
  • Verify binaries are stripped (file /usr/bin/cluster-node-tuning-operator should show "stripped")
  • Verify operator functions correctly

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from ffromani and swatisehgal May 25, 2026 15:02
@coderabbitai

coderabbitai Bot commented May 25, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f7597fb3-2fde-4d3b-950f-ecdf67582ed0

📥 Commits

Reviewing files that changed from the base of the PR and between 18d9b3b and 486ad19.

📒 Files selected for processing (1)
  • Makefile
🚧 Files skipped from review as they are similar to previous changes (1)
  • Makefile

Walkthrough

The Makefile adds Go linker strip flags (-s -w) to build recipes. The main GO_BUILD_RECIPE and two specialized targets (build-performance-profile-creator, build-gather-sysinfo) now pass -ldflags "-s -w" inline with version injection; cluster-node-tuning-operator-test-ext also adds -ldflags "-s -w".

Changes

Binary size optimization via Go linker flags

Layer / File(s) Summary
Go linker stripping flags in build recipes
Makefile
GO_BUILD_RECIPE, build-performance-profile-creator, build-gather-sysinfo, and cluster-node-tuning-operator-test-ext are updated to include -s -w in Go linker flags; the two specialized targets switch from a LDFLAGS shell variable to inline -ldflags including -s -w and the -X ...=$(REV) version injection.

🎯 2 (Simple) | ⏱️ ~10 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❌ Error PR adds 9 test files with dynamic test names using fmt.Sprintf, e.g., It(fmt.Sprintf("%s set", sysctlVar)) and It(fmt.Sprintf("modules: %s loaded", moduleName)). Replace fmt.Sprintf test names with static strings. Move dynamic values to test bodies, e.g.: Change It(fmt.Sprintf("%s set", sysctlVar)) to It("should set the sysctl parameter").
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning New test cpu_management.go calls KnownIssueJira() which makes HTTP requests to external https://issues.redhat.com endpoint, failing in disconnected environments. Wrap external calls with NO_BZ_CHECKS env variable checks or add [Skipped:Disconnected] to test names.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: adding Go linker stripping flags to reduce binary sizes by removing debug symbols.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Test Structure And Quality ✅ Passed PR contains only Makefile changes for binary stripping (adding -s -w ldflags); no Ginkgo test code modifications, so test quality check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR. The changes are limited to Makefile modifications for Go binary stripping flags, making this check not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR only modifies the Makefile to add -s -w debug stripping flags to Go binary builds. No new Ginkgo e2e tests are added, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed PR only modifies Makefile build flags (-s -w ldflags) to strip debug symbols. No scheduling constraints, deployment manifests, or operator code changes introduced.
Ote Binary Stdout Contract ✅ Passed Linker flags -s -w only strip debug metadata and have no runtime behavior impact; main.go has no stdout writes in process-level code, satisfying OTE Binary Stdout Contract requirements.
No-Weak-Crypto ✅ Passed PR contains only Makefile changes adding Go linker stripping flags (-s -w); no cryptographic code, weak algorithms, or insecure comparisons present.
Container-Privileges ✅ Passed PR only modifies Makefile to add Go binary stripping flags (-s -w); no changes to container or K8s manifests that contain privilege configurations.
No-Sensitive-Data-In-Logs ✅ Passed PR only adds binary stripping flags to Makefile and standard operational logging (version info, error messages). No sensitive data like passwords, tokens, API keys, or PII are logged.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@jmencak

jmencak commented May 25, 2026

Copy link
Copy Markdown
Contributor

Thank you for the PR, Scott. Do we want to do the same thing for cluster-node-tuning-operator-test-ext? It will grow large soon as we add more tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

rh-pre-commit.version: 2.4.0
rh-pre-commit.check-secrets: ENABLED
@sdodson

sdodson commented Jun 9, 2026

Copy link
Copy Markdown
Member Author

Good call, done — added -ldflags "-s -w" to the cluster-node-tuning-operator-test-ext build target in the latest commit.

@sdodson

sdodson commented Jun 9, 2026

Copy link
Copy Markdown
Member Author

The gzipped binary is about half as large once stripped.

~ podman run -it --entrypoint /bin/sh `oc adm release info 4.22.0 --image-for cluster-node-tuning-operator`
sh-5.1# dnf install -y binutils
sh-5.1# ls -la cluster-node-tuning-operator*
-rwxr-xr-x. 1 root root 101535656 May 19 16:47 cluster-node-tuning-operator
-rwxr-xr-x. 1 root root  11113396 May 19 16:47 cluster-node-tuning-operator-test-ext.gz
sh-5.1# gzip -d cluster-node-tuning-operator-test-ext.gz 
sh-5.1# strip cluster-node-tuning-operator*
sh-5.1# gzip cluster-node-tuning-operator-test-ext 
sh-5.1# ls -la cluster-node-tuning-operator*
-rwxr-xr-x. 1 root root 72069048 Jun  9 17:48 cluster-node-tuning-operator
-rwxr-xr-x. 1 root root  5684280 Jun  9 17:48 cluster-node-tuning-operator-test-ext.gz

@jmencak

jmencak commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

/retest

1 similar comment
@jmencak

jmencak commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

/retest

@jmencak

jmencak commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 10, 2026
@openshift-ci

openshift-ci Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jmencak, sdodson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 10, 2026
@sdodson

sdodson commented Jun 10, 2026

Copy link
Copy Markdown
Member Author

/verified by CI

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 10, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@sdodson: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 7fa9ba7 and 2 for PR HEAD 486ad19 in total

@jmencak

jmencak commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

/retest

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

@sdodson: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 07687ef into openshift:main Jun 11, 2026
20 checks passed
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@sdodson: Jira Issue OCPBUGS-83863: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-83863 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Summary

  • Add -s -w to ldflags in GO_BUILD_RECIPE to strip DWARF debug info and symbol tables from the main operator binary
  • Fix build-gather-sysinfo and build-performance-profile-creator targets which intended to strip but had a make-vs-shell variable expansion bug ($(LDFLAGS) is expanded by make before the shell runs, so the shell variable set on the previous line was never used)

Impact

The cluster-node-tuning-operator image (617 MB) contains three unstripped Go binaries totaling 195 MB:

  • cluster-node-tuning-operator (96.8 MB)
  • gather-sysinfo (63.8 MB)
  • performance-profile-creator (34.6 MB)

Stripping typically reduces Go binary size by 20-30%, reducing container image pull time during node scale-up.

Test plan

  • Verify image builds successfully
  • Verify binaries are stripped (file /usr/bin/cluster-node-tuning-operator should show "stripped")
  • Verify operator functions correctly

Summary by CodeRabbit

  • Chores
  • Updated build configuration to reduce binary sizes and streamline compilation across multiple build targets.
  • Applied the same build optimizations to additional build and test targets to ensure consistent output and faster, smaller artifacts.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants